A bug has let hackers steal numerous Twitter accounts from their
original owners.

@god, @emoji, and @vagina are among those that appear to have
been "jacked."

So what happened? According to multiple accounts on Twitter, a
flaw occurred when users tried to reset a password, and the
social network then showed users the full email address
associated with the account. (Normally, it is partially
asterisked out.)

With the Twitter handle and the email address behind it, you can
in some circumstances then gain access to the Twitter
account.

If the email address has expired, a hacker could re-register it,
then reset the password and take the account that way.
Alternately, if the email account is still active they can try
to hijack it another way — perhaps via social engineering (when
you trick people into revealing their email passwords).
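As an added illustration (this is not Twitter's code), here is how a password-reset confirmation can show only the partially asterisked address the article says is normal, together with a regression check that the rendered response never carries the full address. The function names and the masking rule (first character of the local part and of each domain label kept, top-level domain kept whole) are my assumptions, not Twitter's.

```python
# Added example, not Twitter's implementation: mask the address on the
# password-reset page so the full email is never disclosed to whoever
# typed a handle into the form, and check responses for that leak.

def mask_email(address: str) -> str:
    """Return a partially asterisked form of `address`.

    Keeps the first character of the local part and of each domain label
    and leaves the top-level domain whole; everything else becomes '*'.
    One-character parts are masked entirely so a single-letter mailbox
    or label is not revealed.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")

    def keep_first(label: str) -> str:
        return "*" if len(label) == 1 else label[0] + "*" * (len(label) - 1)

    labels = domain.split(".")
    if len(labels) == 1:
        # No dot in the domain: mask it like any other label.
        masked_domain = keep_first(domain)
    else:
        masked_domain = ".".join(
            [keep_first(lbl) for lbl in labels[:-1]] + [labels[-1]]
        )
    return keep_first(local) + "@" + masked_domain


def reset_notice(address: str) -> str:
    """Text for the confirmation page; only the masked address appears."""
    return "We sent a password reset link to " + mask_email(address)


def leaks_full_address(page_text: str, address: str) -> bool:
    """True if the response body contains the full address (case-insensitive).

    Intended as a regression test on reset-flow responses; the bug in the
    article is exactly this condition returning True.
    """
    return address.lower() in page_text.lower()


if __name__ == "__main__":
    # Constructed sample address, not a real account.
    sample = "jane.doe@example.com"
    print(reset_notice(sample))
    print("leak:", leaks_full_address(reset_notice(sample), sample))
```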

For example, here are the most recent tweets sent by @God:

[Screenshot: recent tweets from @God. Image credit: BI]

@God normally tweets image macros and memes, and has more than
180,000 followers. The account's new "owner" indicates how they
got hold of the account — "recreating hotmails" — and thanks
Twitter for the "0day," hacker slang for a vulnerability that is
immediately exploitable.

Note: A Twitter user with the handle @by contacted Business
Insider to say that he is not @god, and did not exploit the bug.

A user called @bluedream says that Twitter had "a massive bug
that allowed people too [sic] see emails upon password reset" —
although he wasn't able to get any accounts himself.

[Screenshot: @bluedream's tweet about the bug. Image credit: BI]

Another Twitter user corroborates this.

[Screenshot: a second user's tweet about the bug. Image credit: BI]

The account @Emoji has suddenly started tweeting again, and
follows people tweeting about the bug. A source tells Business
Insider the account used to belong to someone in Japan.

@Vagina also appears to have been hijacked. Its only tweet, sent
seven hours ago, is "I'm a big fat juicy p***y," and the tweet
has been retweeted by other users talking about the bug.

By looking at the various accounts that the jacked accounts
follow, or are tweeting and being retweeted by, you can find
other accounts that appear to have been hacked over the last 12
or so hours. These include @miracles, @point, @just, @insert,
@nudes, @cocky, and @bass, as well as two-letter handles like
@3o.

So — who cares? Short, interesting, or "cool" handles for Twitter
(and other social network platforms) can be a kind of status
symbol for some in hacker-y circles. People are even willing to
pay money for them, so there's a minor underground market in
jacking "OG" handles and selling them on. Brian Krebs, an
independent security journalist, wrote a good piece on the
phenomenon back in November 2015.

At least one user already appears to be trying to sell
three-character Twitter accounts for £100 each, though it's
unclear what handles they have access to (legitimately or
otherwise).

[Screenshot: tweet offering three-character Twitter accounts for sale. Image credit: BI]

At press time, the bug appeared to be fixed, with the password
reset form only showing partially obscured email addresses.

Business Insider has reached out to Twitter for comment and will
update this story when the company responds.